Meet the expert: Joseph Gridley to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Joseph Gridley is Chief Data Privacy Officer at the University of Maryland. Prior to his time at UMD, Josepth worked at Penn State as an Assistant Chief Privacy Officer, HIPAA Security Officer, and IT Compliance manager. 

Before his career in higher education, Joseph was an attorney in the software and finance industries, where he built and supported several data governance and compliance programs for SaaS solutions.

Joseph Gridley appears exclusively at PrivSec Global to discuss the challenges that US education institutions face as they move to reconcile transparency with student privacy. 

Below, Joseph talks about his career to date and introduces some of the key themes of his  PrivSec Global panel session.

Could you outline your career pathway so far? 

My career actually began as an attorney in a small trust administration and (eventually) fintech company, where I helped develop control sets and guidance for contractually controlled financial data. 

From there, I wound up in-house counsel at a long-lived software company moving to their legacy products to the cloud. Again, I found myself developing control sets and guidance for an IT compliance program to satisfy customers in defence, healthcare, and finance. 

Around that time, Penn State was hiring for an IT Compliance manager, and I decided to make the career (and industry) shift. At Penn State, my role slowly grew to also encompass privacy responsibilities, leading me to become an Assistant CPO; and, when the University of Maryland reached out to advertise their inaugural Chief Data Privacy Officer role, I thought the chance was too good to pass up.

What events in recent years have served to highlight the difficulties public schools and students face when it comes to student privacy? 

There have been many industry shifts in recent years that I think demonstrate the difficulties for institutions (both primary school and higher ed) - for example, the change to cloud-first IT models has meant that students’ (and parents’) data is no longer solely in the hands of the institution they interact with directly. 

The use of third party services for what had previously been locally installed (and controlled) software increases the threat surface and introduces complex contract terms that most organizations aren’t prepared to parse or operationalize. This is especially true for schools that are often under-resourced and struggling just to meet the needs of their students (both at the primary and secondary levels). 

Additionally, regulations related to data-handling have grown almost exponentially, introducing confusion for any organization dealing with students from more than 1 state, as well as introducing confusion to the data subjects; after all, how can a student/parent be expected to know and understand their rights under 50+ different regulatory regimes? 

Finally, threat actors are beginning to target smaller institutions of higher education and primary schools for cyberattacks - just a couple of months ago a local school district suffered a breach of around 4500 records. This isn’t just a problem for the institution’s finances (though notification costs and credit monitoring certainly add up), but it’s also significantly damaging for the trust the community might have had in the institution’s ability to properly handle their data - and, as our industry moves more toward behavioural modelling and predictive analytics, that trust will be crucial.

What challenges must be overcome for schools to strike a balance between the need for public transparency and student confidentiality? 

The biggest challenge to overcome here is actually related to the risk/security/privacy/compliance/etc. professionals that support their institutions’ operations - there is a temptation for the folks working in this space to put their specific domain first (privacy first, security first, etc.).

However, that’s not the set of priorities that match any organization’s mission - the mission of most schools is at least partially (if not wholly) education. This means that, as professionals in this space, we need to be thinking about the mission first - this helps to fit ourselves into a strategic support role, and builds the political and cultural capital needed to get your initiatives done.

More existential concerns around privacy and data use are also surfacing in the use of AI (generative or otherwise) - communities are greatly affected by the outputs AI tools might have, but they’re not engaged or consulted in any meaningful way. 

The general public is already waking up to that fact, and governments all over the world are looking at ways to protect their citizens - including, of course, students and parents. Balancing the risks AI can have against the benefit these tools can bring is going to be critical for any program addressing data-related risks. There’s no stopping the AI train we’re on now - we, as risk/security/privacy/compliance/etc. professionals need to be thinking in terms of what we can do to keep the train on the tracks.